Skip to content
iDiscovery Solutions, Illinois' Supreme Court, Illinois, Biometric Information Privacy Act (BIPA), Biometric Information Privacy Act, BIPA, Biometric Information, BIPA case, Illinois Biometric Information Privacy Act

The Illinois Supreme Court recently issued a decision in Cothron v. White Castle System, Inc., which could have significant implications for the state’s litigation landscape and business environment. The case concerned an alleged violation of Illinois’ Biometric Information Privacy Act (BIPA) by White Castle, a fast-food restaurant chain, in connection with its use of fingerprint scanning technology for employee timekeeping purposes.

BIPA requires companies to obtain informed written consent from individuals before collecting, using, or storing their biometric information, such as fingerprints or facial scans. In addition, the law imposes specific notice and data retention requirements, as well as a private right of action that allows individuals to sue for damages if their rights are violated.

In the Cothron case, the plaintiff alleged that White Castle violated BIPA by failing to provide proper notice and obtain consent before collecting and storing her fingerprint data. The trial court dismissed the case, but the appellate court reversed and remanded it for further proceedings. White Castle appealed the decision to the Illinois Supreme Court, which ultimately affirmed the appellate court’s ruling.

The Supreme Court’s decision in Cothron v. White Castle System, Inc. could have significant implications for companies doing business in Illinois.

First, it clarifies that a plaintiff does not need to show actual harm or injury to bring a BIPA claim. Instead, a violation of the law’s notice and consent requirements is sufficient to establish standing. This could potentially open the door to more BIPA lawsuits, as plaintiffs may be more willing to sue even if they have not suffered any actual harm.

Second, the decision emphasizes the importance of complying with BIPA’s notice and consent requirements. The Court rejected White Castle’s argument that the plaintiff’s claim was moot because the company had provided proper notice and obtained consent after the lawsuit was filed. The Court held that the violation had already occurred when the data was collected without proper notice and consent, and that the plaintiff was entitled to seek damages for that violation.

Third, the decision clarifies the scope of the law’s statutory damages provision. BIPA allows for damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation. The Court held that these damages are not subject to a cap or limit, which could potentially result in significant liability for companies that violate the law.

While the Cothron decision could provide more protection for individuals’ biometric privacy, it may also have a chilling effect on businesses operating in Illinois. The potential for significant damages, combined with the lack of a harm requirement, could incentivize plaintiffs’ attorneys to file more BIPA lawsuits. This could result in increased litigation costs for companies, which could in turn lead to higher prices for consumers and a more challenging business environment for Illinois-based companies.

In addition, the decision could encourage other states to adopt similar laws and interpretations, potentially creating a patchwork of different biometric privacy laws across the country. This could create compliance challenges for companies with operations in multiple states and increase the risk of litigation.

Overall, the Cothron decision highlights the importance of companies taking proactive steps to comply with BIPA and other biometric privacy laws. This may include implementing robust data security and retention policies, obtaining informed written consent from individuals, and providing clear and conspicuous notice of data collection practices. Companies that fail to do so may face significant legal and financial consequences, as well as reputational harm in an age when data privacy and security are top of mind for many consumers.

Summary Around Compliance

To ensure compliance with the Illinois Biometric Information Privacy Act (BIPA), companies should consider taking the following steps:

Establish policies and procedures: Create policies and procedures that outline how biometric information will be collected, used, and stored. This should include clear and conspicuous notice to individuals about how their information will be collected, used, and stored, as well as the purpose of the collection.

Obtain informed written consent: Obtain informed written consent from individuals before collecting, using, or storing their biometric information. The consent should be specific and clearly describe the purpose of the collection, how the information will be used, and how it will be stored.

Implement safeguards: Implement technical, administrative, and physical safeguards to protect biometric information. This may include encrypting data, limiting access to biometric information, and implementing secure data storage practices.

Develop retention policies: Establish policies for how long biometric information will be retained and when it will be destroyed. BIPA requires that biometric information be destroyed when the purpose of the collection has been satisfied, or within three years of the individual’s last interaction with the company, whichever occurs first.

Conduct regular audits: Conduct regular audits to ensure that the company is complying with BIPA and other relevant laws and regulations. This may include reviewing policies and procedures, monitoring data collection practices, and ensuring that employees are trained on how to handle biometric information.

By taking these steps, companies can help ensure that they are in compliance with BIPA and are taking appropriate measures to protect individuals’ biometric information. Failure to comply with BIPA can result in significant legal and financial consequences, as well as reputational harm. Therefore, it is important for companies to take biometric privacy seriously and to establish comprehensive compliance programs to mitigate risk.

Summary Around Discovery & Data Sources

What are common data sources that are discovered as part of a BIPA litigation?

In a Biometric Information Privacy Act (BIPA) litigation, a range of data sources may be discovered, depending on the scope of the case and the information being sought. Some common data sources that may be subject to discovery in a BIPA case include:

Biometric data: This is the primary data that is the subject of BIPA litigation, and may include fingerprints, facial scans, and other biometric information that a company collects from individuals. This data may be stored on physical devices, such as scanners, or in electronic databases.

Employee records: Employee records may be subject to discovery if they contain information related to biometric data collection, such as consent forms, policies and procedures related to data collection and storage, and training materials for employees.

Technical specifications: Technical specifications related to biometric data collection and storage may be relevant in a BIPA case, including details about the hardware and software used to collect, store, and protect the data.

IT systems: IT systems may be subject to discovery in a BIPA case, including data storage systems, backup systems, and data access logs. This information may be used to demonstrate how data is being collected, used, and protected, and whether any breaches or unauthorized access occurred.

Email and other electronic communications: Emails and other electronic communications may be relevant in a BIPA case if they contain discussions related to biometric data collection, storage, or handling. This may include emails between employees, emails to vendors or contractors, and communications related to the development or implementation of biometric data systems.

Vendor and contractor agreements: Vendor and contractor agreements may be relevant in a BIPA case if they contain provisions related to biometric data collection and storage. This information may be used to determine whether the company took appropriate measures to protect biometric data and whether vendors or contractors were properly vetted and managed.

It’s important to note that the data sources subject to discovery in a BIPA case will vary depending on the specifics of the case and the information being sought. Therefore, companies should take a comprehensive approach to data collection, storage, and handling, and establish appropriate policies and procedures to protect biometric data and minimize the risk of litigation.

If you would like to schedule a call with one of our experts to discuss how this information might affect one of your clients or cases, please visit

iDS provides consultative data solutions to corporations and law firms around the world, giving them a decisive advantage – both in and out of the courtroom. Our subject matter experts and data strategists specialize in finding solutions to complex data problems – ensuring data can be leveraged as an asset and not a liability.